Re: Django API CSRF Issues - Need Help

[Neeraj Gahlot]

Hi Chris,
You will have to pass csrf token in http request header while making 
request using AJAX
This can be done by adding following prior to your ajax request.

var csrftoken = $.cookie('csrftoken');
$.ajaxSetup({
headers: { "X-CSRFToken": csrftoken }
});

On Saturday, May 21, 2016 at 7:06:15 AM UTC+5:30, Chris Troutner wrote:
>
> Hey all,
>
> This is my first time posting to the group. I'm working with Bob Hagan 
>  on the Network Resource Planning (NRP) 
> project . The platform runs on 
> Django and he's been using the REST API app to open up ports to some of the 
> pieces of the software. Right now we're working on an interface for 
> creating new users, which requires the passing of a CSRF token for 
> authentication. I'm having a heck of a time and we can't figure out if the 
> issue is something set up on the server or on my front end code. I'm hoping 
> that the issue might be obvious to someone here. 
>
> First of all, you can access the Django API code in the repository code 
> here:
> https://github.com/valnet/valuenetwork/tree/master/valuenetwork/api
>
> My front end code is written in JavaScript can be viewed in it's own 
> repository here:
>
> https://github.com/christroutner/rpiovn/blob/unstable/public/js/app/views/NRPUsersView.js
>
> This video gives a visual overview of the user interface and the general 
> issues I'm experiencing:
> https://youtu.be/vaYCLmsi_hM
>
>
> NRPUsersView.js is a Backbone.js View file. If that doesn't mean anything 
> to you, that's OK. The important thing to notice is the three different 
> ways I tried to access the API.
>
>1. I use JavaScript to fill out an HTML form. This is currently the 
>only way that works at the moment.
>
>2. A typical AJAX POST submission
>
>3. A JavaScript Virtual Form using the FormData object.
>
> Method 3 should be identical to method 1 as far as the server is 
> concerned, but the HTTP headers are slightly different. Like I said, 
> methods 2 and 3 are not working out. I've tweaked the code every which way 
> and I always get a "403 FORBIDDEN Authentication credentials were not 
> provided" message.
>
> According to this Django documentation 
> , there are three 
> possible locations to put the CSRF token:
>
>1. In the document.cookie
>
>2. In the HTTP header preceded by "X-CSRFToken"
>
>3. And a hidden input field in the form
>
>
> I've tried every combination of the three options for passing the CSRF 
> token and haven't had any luck.
>
>
> Has anyone had experience implementing this type of API authentication 
> with Django before? Any help you can provide would be appreciated.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/d67a586f-61e4-4806-a0ac-c76cb3b96f1b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Django API CSRF Issues - Need Help

[Chris Troutner]

That's really interesting. Hmm...

Thanks for the feedback.

On Sat, May 21, 2016 at 9:03 AM, Michal Petrucha <
michal.petru...@konk.org> wrote:

> On Sat, May 21, 2016 at 08:55:04AM -0700, Chris Troutner wrote:
> > Yep, no luck. I got the cookie plugin integrated, but it didn't make any
> > difference. The problem isn't with the *retrieval* of the CSRF token,
> it's
> > with the *submission*.
> >
> > If you bring up this code:
> >
> https://github.com/christroutner/rpiovn/blob/unstable/public/js/app/views/NRPUsersView.js
> >
> > And scroll down to the approveUser function, you can see a section marked
> > in comments labeled VIRTUAL FORM. I'm doing to same
> > xhr.setRequestHeader('X-CSRFToken',
> > csrftoken); instruction in Francois' example. The POST submission still
> > results in a 403 Forbidden error.
>
> Hi Chris,
>
> Could you perhaps post the full error message you receive with the 403
> error? The one you posted in the initial post seems to indicate it's
> not a CSRF error at all...
>
> On Fri, May 20, 2016 at 06:34:42PM -0700, Chris Troutner wrote:
> > I've tweaked the code every which way and I always get
> > a "403 FORBIDDEN Authentication credentials were not provided" message.
>
> This message would mean that you haven't provided any authentication
> token, session cookie, or whatever other method your API uses for user
> authentication. In case of a CSRF error, you'd get something like one
> of the following:
>
> REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
> REASON_BAD_TOKEN = "CSRF token missing or incorrect."
>
> Good luck,
>
> Michal
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Django users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/django-users/7FkB_HE446I/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> django-users+unsubscr...@googlegroups.com.
> To post to this group, send email to django-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-users.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/20160521160339.GM24966%40konk.org
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAB4b19x4%3D0W_NVM4jYrSVsVOoLCrBbe5Lvt1f6J%2BbT067PP0kw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: Django API CSRF Issues - Need Help

[Michal Petrucha]

On Sat, May 21, 2016 at 08:55:04AM -0700, Chris Troutner wrote:
> Yep, no luck. I got the cookie plugin integrated, but it didn't make any
> difference. The problem isn't with the *retrieval* of the CSRF token, it's
> with the *submission*.
> 
> If you bring up this code:
> https://github.com/christroutner/rpiovn/blob/unstable/public/js/app/views/NRPUsersView.js
> 
> And scroll down to the approveUser function, you can see a section marked
> in comments labeled VIRTUAL FORM. I'm doing to same
> xhr.setRequestHeader('X-CSRFToken',
> csrftoken); instruction in Francois' example. The POST submission still
> results in a 403 Forbidden error.

Hi Chris,

Could you perhaps post the full error message you receive with the 403
error? The one you posted in the initial post seems to indicate it's
not a CSRF error at all...

On Fri, May 20, 2016 at 06:34:42PM -0700, Chris Troutner wrote:
> I've tweaked the code every which way and I always get 
> a "403 FORBIDDEN Authentication credentials were not provided" message.

This message would mean that you haven't provided any authentication
token, session cookie, or whatever other method your API uses for user
authentication. In case of a CSRF error, you'd get something like one
of the following:

REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."

Good luck,

Michal

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/20160521160339.GM24966%40konk.org.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: Digital signature

Re: Django API CSRF Issues - Need Help

[Chris Troutner]

Yep, no luck. I got the cookie plugin integrated, but it didn't make any
difference. The problem isn't with the *retrieval* of the CSRF token, it's
with the *submission*.

If you bring up this code:
https://github.com/christroutner/rpiovn/blob/unstable/public/js/app/views/NRPUsersView.js

And scroll down to the approveUser function, you can see a section marked
in comments labeled VIRTUAL FORM. I'm doing to same
xhr.setRequestHeader('X-CSRFToken',
csrftoken); instruction in Francois' example. The POST submission still
results in a 403 Forbidden error.

On Sat, May 21, 2016 at 8:31 AM, Chris Troutner 
wrote:

> I was logged in yes, but I also noticed that when I tried to get the
> cookie from the CMS side, it would retrieve a different CSRF token, as
> though I wasn't logged in. Hence the copy and paste I showed in the video.
>
> I'm trying to get this cookie plugin integrated into my code. Maybe it
> will have better luck at retrieving the CSRF token for my logged in user.
>
> On Sat, May 21, 2016 at 8:25 AM, bobhaugen  wrote:
>
>> Chris, I understood you were logged into the django system when you tried
>> these posts. Correct? I thought that would cover authentication thru DRF.
>> But I am also a noob to Javascript client post -> DRF server.
>>
>> --
>> You received this message because you are subscribed to a topic in the
>> Google Groups "Django users" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/django-users/7FkB_HE446I/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to
>> django-users+unsubscr...@googlegroups.com.
>> To post to this group, send email to django-users@googlegroups.com.
>> Visit this group at https://groups.google.com/group/django-users.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/django-users/aba6b122-5eff-4e67-8237-37ab5df90f69%40googlegroups.com
>> 
>> .
>>
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAB4b19yYZmJSus6r3u%2Bg120UMAV2fT50pnPUS%2Bi57mqDL-8O_Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: Django API CSRF Issues - Need Help

[Chris Troutner]

I was logged in yes, but I also noticed that when I tried to get the cookie
from the CMS side, it would retrieve a different CSRF token, as though I
wasn't logged in. Hence the copy and paste I showed in the video.

I'm trying to get this cookie plugin integrated into my code. Maybe it will
have better luck at retrieving the CSRF token for my logged in user.

On Sat, May 21, 2016 at 8:25 AM, bobhaugen  wrote:

> Chris, I understood you were logged into the django system when you tried
> these posts. Correct? I thought that would cover authentication thru DRF.
> But I am also a noob to Javascript client post -> DRF server.
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Django users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/django-users/7FkB_HE446I/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> django-users+unsubscr...@googlegroups.com.
> To post to this group, send email to django-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-users.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/aba6b122-5eff-4e67-8237-37ab5df90f69%40googlegroups.com
> 
> .
>
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAB4b19ybN01qNq9C%2BHazF3XF_tr0ZS33HwNvU-bExN3xUqajbQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: Django API CSRF Issues - Need Help

[bobhaugen]

Chris, I understood you were logged into the django system when you tried 
these posts. Correct? I thought that would cover authentication thru DRF. 
But I am also a noob to Javascript client post -> DRF server.

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/aba6b122-5eff-4e67-8237-37ab5df90f69%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Django API CSRF Issues - Need Help

[Chris Troutner]

I linked to that page in the original posting. That page describes what 
we're trying to do, but there seems to be a disconnect between what is 
specified and what is actually happening. As near as I can tell, I have 
satisfied the CSRF requirements documented on that page, but I still can't 
seem to get anything other than a 403 error.

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/bc80674a-4116-4821-9881-b3ccc4811a6c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Django API CSRF Issues - Need Help

[François Schiettecatte]

Is this what you are looking for:

https://docs.djangoproject.com/en/1.9/ref/csrf/

François


> On May 21, 2016, at 10:09 AM, Chris Troutner  wrote:
> 
> Yes, you're right that there is something confusing going on. I confess I 
> don't know much about CSRF or authentication or Django. Because of that, I'm 
> sure I presented it in a confusing way. That's all Bob's side of the stuff. 
> 
> I'm just trying to get my front end JavaScript to interact with the Django 
> server side API and the key to doing that is to pass in the CSRF token in a 
> way that makes Django happy. So far, I haven't figured out how to do that.
> 
> -Chris
> 
> 
> On Saturday, May 21, 2016 at 2:16:17 AM UTC-7, Daniel Roseman wrote:
> On Saturday, 21 May 2016 02:36:15 UTC+1, Chris Troutner wrote:
> Hey all,
> 
> This is my first time posting to the group. I'm working with Bob Hagan on the 
> Network Resource Planning (NRP) project. The platform runs on Django and he's 
> been using the REST API app to open up ports to some of the pieces of the 
> software. Right now we're working on an interface for creating new users, 
> which requires the passing of a CSRF token for authentication. I'm having a 
> heck of a time and we can't figure out if the issue is something set up on 
> the server or on my front end code. I'm hoping that the issue might be 
> obvious to someone here. 
> 
> First of all, you can access the Django API code in the repository code here:
> https://github.com/valnet/valuenetwork/tree/master/valuenetwork/api
> 
> My front end code is written in JavaScript can be viewed in it's own 
> repository here:
> https://github.com/christroutner/rpiovn/blob/unstable/public/js/app/views/NRPUsersView.js
> 
> This video gives a visual overview of the user interface and the general 
> issues I'm experiencing:
> https://youtu.be/vaYCLmsi_hM
> 
> 
> NRPUsersView.js is a Backbone.js View file. If that doesn't mean anything to 
> you, that's OK. The important thing to notice is the three different ways I 
> tried to access the API.
>   • I use JavaScript to fill out an HTML form. This is currently the only 
> way that works at the moment.
> 
>   • A typical AJAX POST submission
> 
>   • A JavaScript Virtual Form using the FormData object.
> Method 3 should be identical to method 1 as far as the server is concerned, 
> but the HTTP headers are slightly different. Like I said, methods 2 and 3 are 
> not working out. I've tweaked the code every which way and I always get a 
> "403 FORBIDDEN Authentication credentials were not provided" message.
> 
> According to this Django documentation, there are three possible locations to 
> put the CSRF token:
>   • In the document.cookie
> 
>   • In the HTTP header preceded by "X-CSRFToken"
> 
>   • And a hidden input field in the form
> 
> I've tried every combination of the three options for passing the CSRF token 
> and haven't had any luck.
> 
> 
> Has anyone had experience implementing this type of API authentication with 
> Django before? Any help you can provide would be appreciated.
> 
> 
> There's something a bit confused here. CSRF is not for authentication, and 
> has nothing to do with it at all; it's a method of preventing a certain class 
> of hack that would permit an attacker to hijack a user's session credentials. 
> It really can't be used to authenticate a user for your API; there are plenty 
> of other token-based ways of doing this.
> -- 
> DR.
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to django-users+unsubscr...@googlegroups.com.
> To post to this group, send email to django-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-users.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/django-users/1c7788e8-1567-4dcd-9cac-24a518ab7efa%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/3ED7FCFD-3B79-4576-B85F-9788E41D3781%40gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: Django API CSRF Issues - Need Help

[Chris Troutner]

Yes, you're right that there is something confusing going on. I confess I 
don't know much about CSRF or authentication or Django. Because of that, 
I'm sure I presented it in a confusing way. That's all Bob's side of the 
stuff. 

I'm just trying to get my front end JavaScript to interact with the Django 
server side API and the key to doing that is to pass in the CSRF token in a 
way that makes Django happy. So far, I haven't figured out how to do that.

-Chris


On Saturday, May 21, 2016 at 2:16:17 AM UTC-7, Daniel Roseman wrote:
>
> On Saturday, 21 May 2016 02:36:15 UTC+1, Chris Troutner wrote:
>>
>> Hey all,
>>
>> This is my first time posting to the group. I'm working with Bob Hagan 
>>  on the Network Resource Planning (NRP) 
>> project . The platform runs on 
>> Django and he's been using the REST API app to open up ports to some of the 
>> pieces of the software. Right now we're working on an interface for 
>> creating new users, which requires the passing of a CSRF token for 
>> authentication. I'm having a heck of a time and we can't figure out if the 
>> issue is something set up on the server or on my front end code. I'm hoping 
>> that the issue might be obvious to someone here. 
>>
>> First of all, you can access the Django API code in the repository code 
>> here:
>> https://github.com/valnet/valuenetwork/tree/master/valuenetwork/api
>>
>> My front end code is written in JavaScript can be viewed in it's own 
>> repository here:
>>
>> https://github.com/christroutner/rpiovn/blob/unstable/public/js/app/views/NRPUsersView.js
>>
>> This video gives a visual overview of the user interface and the general 
>> issues I'm experiencing:
>> https://youtu.be/vaYCLmsi_hM
>>
>>
>> NRPUsersView.js is a Backbone.js View file. If that doesn't mean anything 
>> to you, that's OK. The important thing to notice is the three different 
>> ways I tried to access the API.
>>
>>1. I use JavaScript to fill out an HTML form. This is currently the 
>>only way that works at the moment.
>>
>>2. A typical AJAX POST submission
>>
>>3. A JavaScript Virtual Form using the FormData object.
>>
>> Method 3 should be identical to method 1 as far as the server is 
>> concerned, but the HTTP headers are slightly different. Like I said, 
>> methods 2 and 3 are not working out. I've tweaked the code every which way 
>> and I always get a "403 FORBIDDEN Authentication credentials were not 
>> provided" message.
>>
>> According to this Django documentation 
>> , there are three 
>> possible locations to put the CSRF token:
>>
>>1. In the document.cookie
>>
>>2. In the HTTP header preceded by "X-CSRFToken"
>>
>>3. And a hidden input field in the form
>>
>>
>> I've tried every combination of the three options for passing the CSRF 
>> token and haven't had any luck.
>>
>>
>> Has anyone had experience implementing this type of API authentication 
>> with Django before? Any help you can provide would be appreciated.
>>
>
>
> There's something a bit confused here. CSRF is not for authentication, and 
> has nothing to do with it at all; it's a method of preventing a certain 
> class of hack that would permit an attacker to hijack a user's session 
> credentials. It really can't be used to authenticate a user for your API; 
> there are plenty of other token-based ways of doing this.
> -- 
> DR.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/1c7788e8-1567-4dcd-9cac-24a518ab7efa%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Django API CSRF Issues - Need Help

[Daniel Roseman]

On Saturday, 21 May 2016 02:36:15 UTC+1, Chris Troutner wrote:
>
> Hey all,
>
> This is my first time posting to the group. I'm working with Bob Hagan 
>  on the Network Resource Planning (NRP) 
> project . The platform runs on 
> Django and he's been using the REST API app to open up ports to some of the 
> pieces of the software. Right now we're working on an interface for 
> creating new users, which requires the passing of a CSRF token for 
> authentication. I'm having a heck of a time and we can't figure out if the 
> issue is something set up on the server or on my front end code. I'm hoping 
> that the issue might be obvious to someone here. 
>
> First of all, you can access the Django API code in the repository code 
> here:
> https://github.com/valnet/valuenetwork/tree/master/valuenetwork/api
>
> My front end code is written in JavaScript can be viewed in it's own 
> repository here:
>
> https://github.com/christroutner/rpiovn/blob/unstable/public/js/app/views/NRPUsersView.js
>
> This video gives a visual overview of the user interface and the general 
> issues I'm experiencing:
> https://youtu.be/vaYCLmsi_hM
>
>
> NRPUsersView.js is a Backbone.js View file. If that doesn't mean anything 
> to you, that's OK. The important thing to notice is the three different 
> ways I tried to access the API.
>
>1. I use JavaScript to fill out an HTML form. This is currently the 
>only way that works at the moment.
>
>2. A typical AJAX POST submission
>
>3. A JavaScript Virtual Form using the FormData object.
>
> Method 3 should be identical to method 1 as far as the server is 
> concerned, but the HTTP headers are slightly different. Like I said, 
> methods 2 and 3 are not working out. I've tweaked the code every which way 
> and I always get a "403 FORBIDDEN Authentication credentials were not 
> provided" message.
>
> According to this Django documentation 
> , there are three 
> possible locations to put the CSRF token:
>
>1. In the document.cookie
>
>2. In the HTTP header preceded by "X-CSRFToken"
>
>3. And a hidden input field in the form
>
>
> I've tried every combination of the three options for passing the CSRF 
> token and haven't had any luck.
>
>
> Has anyone had experience implementing this type of API authentication 
> with Django before? Any help you can provide would be appreciated.
>


There's something a bit confused here. CSRF is not for authentication, and 
has nothing to do with it at all; it's a method of preventing a certain 
class of hack that would permit an attacker to hijack a user's session 
credentials. It really can't be used to authenticate a user for your API; 
there are plenty of other token-based ways of doing this.
-- 
DR.

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/64a5a9e4-09d5-4cc1-b7d6-962bc8417411%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Django API CSRF Issues - Need Help

[Chris Troutner]

Hey all,

This is my first time posting to the group. I'm working with Bob Hagan 
 on the Network Resource Planning (NRP) project 
. The platform runs on Django and 
he's been using the REST API app to open up ports to some of the pieces of 
the software. Right now we're working on an interface for creating new 
users, which requires the passing of a CSRF token for authentication. I'm 
having a heck of a time and we can't figure out if the issue is something 
set up on the server or on my front end code. I'm hoping that the issue 
might be obvious to someone here. 

First of all, you can access the Django API code in the repository code 
here:
https://github.com/valnet/valuenetwork/tree/master/valuenetwork/api

My front end code is written in JavaScript can be viewed in it's own 
repository here:
https://github.com/christroutner/rpiovn/blob/unstable/public/js/app/views/NRPUsersView.js

This video gives a visual overview of the user interface and the general 
issues I'm experiencing:
https://youtu.be/vaYCLmsi_hM


NRPUsersView.js is a Backbone.js View file. If that doesn't mean anything 
to you, that's OK. The important thing to notice is the three different 
ways I tried to access the API.

   1. I use JavaScript to fill out an HTML form. This is currently the only 
   way that works at the moment.
   
   2. A typical AJAX POST submission
   
   3. A JavaScript Virtual Form using the FormData object.

Method 3 should be identical to method 1 as far as the server is concerned, 
but the HTTP headers are slightly different. Like I said, methods 2 and 3 
are not working out. I've tweaked the code every which way and I always get 
a "403 FORBIDDEN Authentication credentials were not provided" message.

According to this Django documentation 
, there are three 
possible locations to put the CSRF token:

   1. In the document.cookie
   
   2. In the HTTP header preceded by "X-CSRFToken"
   
   3. And a hidden input field in the form


I've tried every combination of the three options for passing the CSRF 
token and haven't had any luck.


Has anyone had experience implementing this type of API authentication with 
Django before? Any help you can provide would be appreciated.

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/98bf719c-db93-4cab-876c-4255261fd95e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.